HIPAA Privacy Training
HIPAA
Background
Health Insurance Portability and Accountability Act of 1996
Copyright 2010 MHM Resources LLC
Portability
Part One – Portability, access, and renewability requirements
Administrative Simplification
Part Two – Administrative Simplification
Standards for maintenance and transmission of health information
Privacy
Part Three – Privacy
The privacy regulations govern how individually identifiable medical information must be protected.
Security
Part Four – Security
Regulates how health plans and other covered entities that electronically maintain or transmit PHI implement reasonable and appropriate safeguards for the availability and protection of electronic protected health information (PHI)
Breach Notification
Part Five – Breach Notification
Health Information Technology for Economic and Clinical Health (HITECH) Act
Outlines how affected individuals must be notified if there is a breach of their “unsecured” PHI
Disclosure Log
Effective September 23, 2009
Flexible Benefit Plans
A Health Flexible Spending Account (FSA), i.e. the unreimbursed medical portion of a cafeteria plan, and a Health Reimbursement Arrangement (HRA) are both considered health and welfare benefit plans.
HIPAA Definitions
Covered Entity
A healthcare provider that conducts certain transactions in electronic form
A healthcare clearinghouse
A health plan - includes all the employer's welfare benefit plans like health insurance, a Health FSA within a cafeteria plan, and any HRAs.
HIPAA Definitions
If you are an employer, you are generally not a covered entity. Employees, the plan, and its Business Associates may not freely share information with the employer unless firewalls exist to contain the information.
HIPAA Definitions
Covered Transactions
Healthcare or dental claims administration
Healthcare eligibility
Benefits enrollment and maintenance
Payroll deduction and group premium payment
Retail pharmacy transactions
HIPAA Definitions
Business Associate
A person, business, or agency that conducts covered transactions for another legal entity.
HIPAA Definitions
Business Associate Agreement
The health plan must engage in a Business Associate Agreement with all Business Associates.
HIPAA Definitions
Protected Health Information (PHI)
Individually identifiable medical information in any form, including oral communication that is created or received by a covered entity or employer.
Breach of Unsecured PHI
A breach is the unauthorized access, use or disclosure of unsecured PHI.
PHI must be encrypted or destroyed
In motion, in use, at rest
Access controls do not make PHI secure
HIPAA Definitions
Significant risk of harm to individual
Immediate steps were taken to obtain guarantee that PHI will not be used or disclosed
PHI returned prior to being accessed
Determine type or amount of PHI disclosed
HIPAA Overview
Individuals “own” their PHI
HIPAA defines what PHI is
Privacy notice tells employees how their PHI will be used and disclosed. No other notice is required
Privacy notice gives employees certain rights to their PHI
Where does PHI Come From?
Fax
Front desk
Phones
Electronically
Orally, in person
Who Can See PHI?
Covered entities with privacy policies in place
Business Associates that have signed Business Associate Agreements in place with the covered entities and also have privacy policies in place
Individual employees may review and change their own PHI
When Can You Reveal PHI?
Healthcare operations
Payment
Treatment
As permitted or required by law
Pursuant to an authorization
When Can You Reveal PHI?
Identify individual with whom you are speaking
Verify SSN, gender, birth date, and/or address
Authorization signed by participant
“Minimum Necessary” standard
Reveal the minimum necessary information when releasing information
Applies to All Covered Entities
Employers are generally not covered entities
A covered entity may not freely share an individual's PHI with the employer or a non-health plan.
Protect PHI in Your Office
Train all workers with access to PHI
Don’t enter PHI into a software system or program unless the information is encrypted while at rest or in transit
Create a “clean desk” policy
Store PHI under lock and key
Don’t discuss an individual’s health information in public
Identify callers
Protect PHI in Your Office
Letters to participants should not contain their SSNs
Offsite storage: retain a complete list of claim forms, etc. kept offsite; use security tape on boxes to reveal unauthorized entry.
Trash: shredding
Protect Participant’s Privacy
Right to inspect and copy
Accounting of disclosures
Amend
Request restrictions
Request confidential communications
Right to receive a paper copy of the privacy notice
Employers
Employer puts in place HIPAA privacy policies and procedures
Plan documents and Summary Plan Descriptions for all employer-sponsored health plans
Assign a HIPAA Compliance Official
Employer must certify to the plan that HIPAA privacy rules are being followed
Employers
The health plan must distribute a notice of privacy practices for employees
Business Associate Agreements must be in place
Train workforce on HIPAA compliance
Train workforce on breach reporting
Breach Notification
Accounting for Disclosures of PHI
PHI may be disclosed for public policy and safety reasons and other mandatory disclosures listed below without an individual’s authorization
These disclosures must be logged since they were disclosed without the individual’s knowledge. The disclosure log must be made available to the individual upon request.
Breach Notification
Individuals must be notified if their PHI has been disclosed and the information is unsecured PHI
Safe harbor to avoid breach notification:
Encryption whether PHI is at rest, in use or in transit
Destruction
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/
Plan Service Provider
HIPAA privacy policies and procedures
Business Associate Agreements must be in place between the plan service provider (Business Associate) and the plan.
Exception to Compliance
Self-administered health plans with fewer than 50 participants are exempt from privacy compliance
Civil and Criminal Penalties
Substantial civil and criminal penalties apply to noncompliance with HIPAA regulations
Be aware of your state laws
Get legal counsel
HIPAA
Privacy – Your business depends on it